(54) System and method for providing peer level access control on a network



(57) A system and method for providing peer-level access control on networks that carry packets of information, each packet having a 5-tuple having a source and destination address, a source and destination port and a protocol identifier. The local rule base of a peer is dynamically loaded into a filter when the peer is authenticated, and ejected when the peer loses authentication. The local rule base is efficiently searched through the use of hash tables wherein a hashed peer network address serves as a pointer to the peer's local rules. Each rule comprises a 5-tuple and an action. The action of a rule is carried out on a packet when the 5-tuple of the rule corresponds to the 5-tuple of the packet.
Description

Field of the Invention

This invention relates to information systems security, in particular to providing access control between one set of automated information systems and another.

Background of the Invention 

Known methods for implementing access control for a specific computer on a network are cumbersome and inflexible because access rules must be coded and entered by hand by a system administrator. This is impractical for networks whose members change frequently, or whose members' security needs change frequently.

Effective information systems security prevents the unauthorized disclosure, modification or execution of an automated information system's (AIS) data and processes. As used here, the term AIS refers to a computer, network of computers, internetwork of computers, or any subset thereof. The term "data" refers to any information resident on an AIS, including files and programs. The term "processes" refers to programs in any stage of execution on an AIS.

A "host" is a computer with an assigned network address, e.g., an Internet Protocol (IP) address. A "user" is a computer that does not have a fixed, assigned network address. To obtain connectivity to the Internet, for example, a user must commonly obtain a temporary IP address from a host with a pool of such addresses. Such a temporary IP address is retained by the user only for the duration of a single session of connectivity with the Internet.

Information flows in certain networks in packets. A "packet" is a quantum of information that has a header containing a source and a destination address. An example of a packet is an IP packet. Packets such as IP packets have a network protocol identifier ("protocol") as a part of the packet header. The protocol identifies the version number of the protocol used to route the packet. An example of a network protocol identifier is the IP protocol field in an IP packet header.

Packets on a network are directed to and from ports. A "port" is a logical address within a computer through which a process executing on the computer communicates with other executing processes. These other processes may reside on the same computer, or on other networked computers.

Information systems security is implemented by means of a security policy, which comprises rules directed towards regulating the flow of information in an AIS. The rules of a security policy are embodied in a "rule base," a set of rules that specify whether a packet should be passed to the intended recipient or dropped based upon the packet's identifier. A packet identifier is data generally carried in the packet header that serves to identify the packet. An example of a packet identifier is a circuit number, which occurs in the headers of packets flowing in connection-oriented (i.e., circuit-switched) packet switched networks. Another example of a packet identifier is a packet 5-tuple, which is the packet's source and destination address, source and destination port, and protocol. Packets with 5-tuples flow in connectionless packet switched networks.

A rule base may be global or local. A global rule base is a uniform set of rules ("global rules") that apply to a group of users, hosts, or both. A local rule base is a set of rules ("local rules") that apply to a single user with a temporary network address or a host. A single user with a temporary network address or a host that has its own rule base is called a "peer."

Another means for implementing security policy is to restrict access to a network to a predetermined set of users and hosts. When a user or host requests access, its identity must be established and verified before access is granted. This process involves two steps: identification and authentication.

FIG 1 shows one method of identification and authentication in the form of a flow chart with each step designated by a reference numeral. A first step requires a source of information to identify itself by name by supplying a string of data called a user id 10. To prevent an imposter from obtaining the privileges associated with a given user id, the user behind the user id is verified by requiring it to provide a password 11 that is normally kept confidential. Such verification is called "authentication." The AIS checks the combination of source id and password against a list of valid users, 12. When the AIS recognizes a valid user id and corresponding password, a user or host is said to have been identified and authenticated 14. Otherwise, the request for access is denied 13. Hereinafter, a source that has been identified and authenticated will be said to have been "authenticated" for purposes of brevity.

A security policy rule base is implemented on a network using a device called a filter comprising hardware and software. The rule base is loaded into the filter, which receives packets en route (between their source and destination) and checks the identifier of each packet against the identifier contained in each rule of the rule base for a match, i.e., whether the packet corresponds to the rule. A packet corresponds to a rule if the rule applies to the packet. Hence, a rule that is meant to apply to packets with a circuit number of 3254, for example, "corresponds" to all packets with a packet identifier that indicates circuit number 3254. If the network packet identifier corresponds to a rule identifier, the filter carries out the PASS or DROP action prescribed by the rule on the packet. If the PASS action is carried out, the packet is allowed to pass through the filter. If the DROP action is carried out, the packet is eliminated.

A filter is often combined with other hardware and software that helps manage the flow of information through the filter. The combination of hardware and software that carries out and supports packet filtering is called a firewall. A firewall is often positioned between a first network that "owns" the firewall and a second network. The purpose of the firewall is to regulate the flow of information into and out of the first network from the second network by implementing the rule base belonging to the first network for all such information.

A typical application of a firewall is shown in FIG 2. A corporate network 20 may wish to provide access to Internet hosts 21 to its subscribers, but may wish to limit the access that the Internet hosts 21 have to the corporate network 20, which may contain trade secrets and proprietary information. The corporate network 20 would develop a security policy implemented by a firewall 22 placed at the interface between the corporate network 20 and the Internet hosts 21. The firewall 22 comprises a filter 23 that would PASS or DROP packets from Internet hosts 21 to corporate network subscribers 20 and vice versa based upon the packets' source and destination addresses. The firewall is said to belong to the corporate network, and enforces rules that "protect" hosts within the corporate network that have IP addresses. Such hosts are said to be "behind" the corporate network firewall.

An example of a rule base for corporate network 20 having hosts A 24, B 25 and C 26, connected through a firewall 22 to the Internet having hosts G 27, H 28 and I 29 is as follows:



SOURCE Address, Port    DESTINATION Address, Port    VERSION    ACTION
A,21                    G,32                         4          PASS
A,22                    H,19                         3          DROP
G,11                    A,64                         4          DROP
C,9                     I,23                         4          PASS

Every rule base must also have a default action for transactions that are not explicitly specified in the rule base, which is usually the DROP action. Thus, packets from system A,21 to system G,33 will be dropped because the above rule base does not expressly include a rule for such a transfer.

A typical architecture for providing users access to the Internet is shown in FIG 3. Users 31 and 32 do not have fixed IP addresses. Rather, a user is assigned temporary IP addresses by an Internet Service Provider (ISP) Point of Presence (POP) 33 from a pool of such addresses kept by the POP 33 for this purpose. A POP comprises at least one host (not shown). When a user 31 terminates his session of access to the Internet 35, the IP address is returned to the POP 33. Thus, over successive access sessions, a user 31 is likely to have several different IP addresses.

Known filters are not well suited to providing appropriate access control for networks such as a POP. This is because a known filter is only able to load and store rules through the intervention of a system administrator, a slow and cumbersome process. Indeed, the system administrator generally must hand-code rules in a format specific to the filter platform. With known filters, it is impractical to implement the access rules of a specific user (known as the user's "local rules") who is accessing and leaving the network with changing network addresses.

This problem is illustrated in FIGs 5a and 5b. FIG 5a shows a first session where a first user 51 has requested Internet access and been authenticated by a POP and been assigned IP address B from the POP IP address pool 52. Likewise, a second user 53 has been authenticated and been assigned IP address E from the pool 52. A rule base 53 is loaded into a filter to regulate the flow of information between users 51 and 53 and the hosts P, U, V and W on the Internet. The rule base shown in FIGs 5a and 5b shows only the source and destination addresses for each rule, and omits source and destination ports and protocol for simplicity.

Both users stop accessing the Internet and then later request access again and are authenticated for a second session, shown in FIG 5b. This time, the first user 51 is assigned IP address E from the pool 52, and the second user is assigned IP address A. With the newly assigned network addresses, the rule base in the filter is now out of date, containing no rules for the second user, and the wrong rules for the first user, which has been assigned the IP address assigned to the second user during the first session. Even if both users had fortuitously been reassigned the same IP addresses for their second sessions, if either user's security needs had changed between sessions, a new rule base would have had to be loaded into the filter. As discussed above, loading rules into known filters is tedious. Loading and dropping such rules with the frequency that users access and leave a POP is impractical for known filters.

The inflexibility of known filters often necessitates the implementation of rule bases that are too broad for a given application. Without the possibility of easy updates, it is simpler to mandate global rules that apply to all AIS behind a filter rather than to load rules that apply to specific hosts. In such a case, all AIS behind the filter must conform to the most restrictive security requirements of any such AIS, resulting in overly restrictive filtering.

The shortcomings of known filters are illustrated by some of the architectures presently used to provide information systems security for a POP. The architecture shown in FIG 3 provides a minimal level of security through an authentication system 34 which limits access to a predetermined list of authenticated users. But the list of users must generally be entered by hand by the system administrator, and so cannot be easily changed. Further, once access is granted the access is unlimited. Information may flow to and from users 31 and 32 from the Internet 35 without regulation, providing no security past the initial authentication process. This exposes users 31 and 32 to the risk of hacker attacks from users and hosts on the Internet, possibly resulting in the theft or unauthorized manipulation of user data.

The architecture illustrated in FIG 4 shows another known solution to providing information systems security on a POP. The known filter 46 implements a security policy for packets flowing between the Internet 45 and hosts 41 and 42. However, the rule base in the filter 46 must still be formulated and loaded by the system administrator. Further, the network addresses of the users 31 and 32 are likely to change on a session by session basis. This means that it is only practical to load general, "global" rules into the filter that are valid for all of the users. Thus, for example, if user A does not wish to receive packets from a particular host on the Internet, the filter rule base must drop all such packets, thus cutting off user B from receiving packets from that Internet host as well. In this way, the global rule base necessitated by the limited capabilities of known filtering systems is almost always too broad. Another disadvantage is that it is difficult to change the filter rule base to accommodate changing security needs of either user 41 or 42.

Another architecture that provides security for each peer is shown in FIG 6. Here, filters 66 and 67 are placed between users 61 and 62, respectively, and the POP. Requiring every user to have its own filter is an expensive solution that is impractical to implement.

What is needed is a filtering system and method that accurately and efficiently implements local rule bases on a network whose configuration and security needs are constantly changing. Such an invention would provide peer-level security flexibly and inexpensively, with little intervention required from a system administrator.


Summary of the Invention



The present invention comprises a filter that efficiently stores, implements and maintains access rules specific to an individual computer on a network with rapidly changing configurations and security needs. This advantageously allows an individual computer (a peer) to implement its security policy on a filter shared by many such computers on a network.

When a local rule base is no longer valid because the peer is no longer authenticated to the filter in accordance with the present invention, the peer's local rule base is "ejected," i.e., a logical operation is carried out at the filter whereby the local rule base is deleted from the filter. This logical operation on stored data in a computer is well known in the art. This effectively regulates the flow of information on a session-by-session basis, which is especially advantageous in AIS where individual users and hosts have different security needs that change from time to time. For example, the present invention is useful for implementing a parental control system wherein a parent is able to regulate the access to certain types of licentious material on the Internet for household Internet access accounts.

The present invention allows a single device to flexibly and efficiently regulate the flow of information in accordance with security policies that are specifically tailored to the individual user or host. Advantageously, no intervention on the part of the system administrator is ordinarily required in the ordinary functioning of the present invention. Unlike known filters, the present invention is able to accommodate users with temporary network addresses as easily as hosts with fixed network addresses.

In accordance with the present invention, each individual peer is authenticated upon requesting network access. The peer's local rule base is then loaded into the filter of the present invention, either from the peer itself, or from another user, host or peer. When the peer is no longer authenticated to the POP (e.g., the peer loses connectivity or logs off from the POP), the peer's local rule base is ejected (deleted) from the filter.

Brief Description of the Drawings 

FIG 1 shows the process of identification and authentication.
FIG 2 shows a firewall interposed between a corporate network and the Internet.
FIG 3 shows users connected to the Internet through a Point of Presence (POP) having an authentication system.
FIG 4 shows a POP with an authentication system and a filter.
FIG 5a shows a first Internet access session for two users through a POP having a filter.
FIG 5b shows a second Internet access session for two users through a POP having a filter.
FIG 6 shows a known method of providing user level access control to the Internet.
FIG 7a shows a rule base architecture in accordance with an embodiment of the present invention.
FIG 7b shows an implementation of the rule base architecture shown in FIG 7a.
FIG 8a shows a POP with a filter and an authentication system that provides access to the Internet to three peers.
FIG 8b shows a simplified depiction of the rule bases belonging to the peers shown in FIG 8a.
FIG 8c shows a hash function applied to the network addresses of the three peers shown in FIG 8a, and the local-in and local-out rule bases.
FIG 8d shows a detailed representation of the box "Check Local Rule Base" shown in FIG 7b.
FIG 9 shows an implementation of the present invention.

Detailed Description 



In accordance with the present invention, FIG 7a shows an embodiment of a rule architecture that incorporates the functionality of known filters by including a global pre-rule base 701, a local rule base 702 and a global post-rule base 703.

The global pre-rule base 701 usually comprises general rules that apply to all hosts behind the firewall, and are most efficiently applied before any local rules. An example of a global pre-rule is that no telnet (remote login) requests are allowed past the firewall.

The local rule base 702 comprises the set of peer rule bases loaded into the filter for authenticated peers. These rules pertain to specific hosts. An example of a local rule is that host A may not receive e-mail from beyond the firewall.

The global post-rule base 703 comprises general rules that are most efficiently applied after the global pre-rule base and local rule base are searched. A rule applied in the global post-rule base need not have the same effect as if it were applied in the global pre-rule base. Consider the above example prohibiting the reception of certain telnet requests. If this rule is placed in the global post-rule base, the local rule base is searched first, and may contain a rule allowing a telnet request through for a particular peer. If such a rule is found in the local rule base, the global post-rule base is not subsequently searched, and the telnet request is allowed to pass. Consider the different effect of the same rule when it occurs in the global pre-rule base, which is to block all telnet requests for all hosts behind the firewall. The importance of the order of applying rules is evident from a more thorough consideration of the method of the present invention.

FIG 7b illustrates a flow chart of packet processing or filtering in accordance with the present invention. As shown therein, a packet entering the filter is first checked against a global pre-rule base 711 containing rules for all hosts and users having network addresses behind the firewall.

If a corresponding rule is found and the prescribed action is DROP, the packet is dropped 712. If a corresponding rule is found and the action is PASS, the packet is passed 720. If no corresponding rule is found, then the local rule base is checked 713.

The local rule base 702 is the set of all per-user rule bases that are dynamically loaded upon authentication and ejected upon loss of authentication in accordance with the present invention.

If a corresponding rule is found in the local rule base and the action is DROP, the packet is dropped 714. If a corresponding rule is found and the action is PASS, the packet is passed 721. If no corresponding rule is found, then the global post-rule base is checked 715.

If a corresponding rule is found in the global post-rule base and the action is DROP, the packet is dropped 716. If the action is PASS, the packet is passed 722. If no corresponding rule was found in any of the rule bases, then the packet is checked against the default rule 717, whose action is generally to DROP the packet. If the packet corresponds to the default rule, then the default action is carried out 723. If the packet does not match the default rule, then an error condition occurs 724.

This rule base architecture advantageously retains the functionality of known filters. For example, if there are rules in the global pre- or post-rule base only, the filter behaves the same as known filters. If there are only rules in the local rule base, the filter has all of the new and innovative features of the present invention without having global rules.

It is advantageous to implement the present invention with a system for efficiently searching the local rule base for corresponding rules for a given packet. A system that provides such efficiencies uses a hash function to generate an index for the rules. A hash function maps a string of characters to an integer. As is known in the art, a character string is represented as binary numbers inside a computer. An example of a hash function would be to take the third, fourth and fifth bytes of a character string as it is stored in a computer as the first, second and third digits of an integer to be associated with the string. A string on which a hash function has been carried out is said to be "hashed," and the resulting integer is referred to as the "hash" of the string.

This is carried out by logically dividing the local rules into local-in rules and local-out rules. A local-in rule is any rule that applies to a packet whose destination address corresponds to a network address behind the firewall. For example, suppose a host with network address A is behind the firewall, and hosts B, C and D are outside the firewall. The following are examples of local-in rules for host A, following the format SOURCE ADDRESS, SOURCE PORT --> DESTINATION ADDRESS, DESTINATION PORT : PROTOCOL : ACTION:
B,31-->A,33:4:DROP
C,64-->A,45:4:PASS
D,11-->A,17:4:PASS

A local-out rule is any rule that applies to a packet whose source address corresponds to a network address behind the firewall. Local-out rules for the above example are:

A,44-->B,70:4:PASS
A,13-->C,64:4:DROP
A,12-->D,17:4:DROP

In accordance with the present invention, a hash function h is carried out on the network address of the owner of a local rule base. A hash function associates an integer with a string. For the above example in which a host with network address A ("host A") has a local rule base, a hash function would be carried out on A: h(A)=N, where N is an integer. An example of such a hash function is to take the last decimal digit in each octet of an IP address and compose an integer for the hash number. Thus, for example, the IP address 123.4.46.135 would have a hash value of 3465.

After the hash function is carried out, a local-in and a local-out hash table is generated. These tables are essentially indexes searchable on hash numbers derived from network addresses of peers, where each hashed peer network address points to that peer's local-in and local-out rules. Thus, if A is the network address of peer A, and if h(A)=32, then 32 would point to peer A's local-in and local-out rules in the local rule base.

The operation of a filter in accordance with the present invention may be demonstrated with the aid of FIGs 8a through 8d. FIG 8a shows an architecture where peers A 801, B 802, and C 803 are behind a firewall 804 having a filter 805 connected to a network 806 having hosts G 807, H 808 and I 809. These letters represent network addresses. FIG 8b shows the local rule base associated with each host. For simplicity, each rule in the rule bases is shown with only a network source and destination address; the source and destination ports and protocol numbers are not shown. The asterisk represents a wildcard indicating any host. This feature may be advantageously used in accordance with the present invention by including wildcards in one or more of the four octets of an IP address. For example, the following address specifications are all valid for use in rule bases in accordance with the present invention:

123.*.233.2

34.*.M55

*.*.*.32

Wildcards may be used in accordance with the present invention in a similar fashion in any other component of the 5-tuple, i.e., the source and destination ports and the protocol.

FIG 8c shows the local-in and local-out hash tables derived from the local rules shown in FIG 8b and the hash function h carried out on network addresses A, B and C 823. When a packet is received by the filter 805, the filter carries out the same hash function h on the packet's source and destination address 824.

The local rule base is then searched in accordance with the present invention. FIG 8d represents a detailed view of the box "Check Local Rule Base" 713 in FIG 7b.

In accordance with the present invention, if there was no corresponding rule found in the global pre-rule base 711 (FIG 7b), then the local-in hash table is efficiently searched for a rule that corresponds to the packet 841. If a corresponding rule is found and the action is DROP, the packet is dropped 842. If the action is PASS or there is no corresponding rule, the peer-out hash table is checked 843. If a corresponding rule in the hash-out table is found and the action is DROP, the packet is dropped. If the action is PASS, or if there is no corresponding rule in the hash-out table but a corresponding PASS rule was found in the local-in hash table, the packet is passed. If there are no corresponding rules in either hash table 846, then the post-rule base is checked 715 as shown in FIG 7b.

Were it not for the peer-in and peer-out hash tables, the rules would have to be searched far less efficiently by searching the entire rule base for rule identifiers (e.g., 5-tuples) that match the packet identifier (e.g., 5-tuples). A rule identifier is the part of the rule that identifies the packet to which the rule applies. The hash tables allow the filter to locate the applicable rules through a speedier search. Thus, the scope and computational time needed to carry out the search is substantially reduced, reducing the delay in packet transit time caused by the interposition of a filter between the packet source and destination.

FIG 9 shows a peer being authenticated 91 in accordance with the present invention. Upon authentication, the peer's local rule base is loaded into the filter 92. A hash function is carried out on the peer's network address 93, and the filter's peer-in and peer-out hash tables are updated 94 with pointers to the peer's peer-in and peer-out rules. When the peer is no longer authenticated 95, the peer's local rules are ejected from the filter local rule base 96, and the pointers to the peer's peer-in and peer-out rules are ejected from the filter's peer-in and peer-out hash tables 97.
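The rule architecture of FIGs 7a through 9 as an added Python model (an illustration written for this page, not code from the patent): the pre/local/post/default search order of FIG 7b, per-octet wildcards, the hash function from the description (last decimal digit of each octet), local-in and local-out tables keyed on that hash, and loading on authentication and ejection on its loss as in FIG 9, run on the host A rules listed above with the telnet rule placed in the pre- and then in the post-rule base. The concrete IP addresses, the use of "10.*.*.*" to mean "behind the firewall", and the way a PASS from one hash table combines with a miss in the other are my assumptions.

```python
from typing import Dict, List, NamedTuple, Optional

PASS, DROP = "PASS", "DROP"

# Packet identifier: the 5-tuple carried in the packet header.
Packet = NamedTuple("Packet", [("src", str), ("sport", int), ("dst", str),
                               ("dport", int), ("proto", int)])
# A rule is a 5-tuple plus an action; sport/dport/proto may be "*", and an
# address may carry "*" in any of its four octets (FIG 8b).
Rule = NamedTuple("Rule", [("src", str), ("sport", object), ("dst", str),
                           ("dport", object), ("proto", object), ("action", str)])

def h(addr: str) -> int:
    """Hash from the description: last decimal digit of each octet, so
    h('123.4.46.135') == 3465."""
    return int("".join(octet[-1] for octet in addr.split(".")))

def addr_matches(pattern: str, addr: str) -> bool:
    return all(p in ("*", a) for p, a in zip(pattern.split("."), addr.split(".")))

def corresponds(rule: Rule, pkt: Packet) -> bool:
    """A rule corresponds to a packet when each rule component equals (or
    wildcards) the same component of the packet 5-tuple."""
    return (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and rule.sport in ("*", pkt.sport) and rule.dport in ("*", pkt.dport)
            and rule.proto in ("*", pkt.proto))

def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    return next((r for r in rules if corresponds(r, pkt)), None)

class PeerFilter:
    """Pre-rule base, hash-indexed local rule base, post-rule base, default
    rule, searched in that order (FIGs 7a and 7b)."""
    def __init__(self, pre: List[Rule], post: List[Rule], default: str = DROP):
        self.pre, self.post, self.default = list(pre), list(post), default
        self.local_in: Dict[int, List[Rule]] = {}   # h(peer) -> rules with dst == peer
        self.local_out: Dict[int, List[Rule]] = {}  # h(peer) -> rules with src == peer

    def authenticate(self, peer: str, rules: List[Rule]) -> None:
        """FIG 9, 91-94: load the peer's local rule base and add hash pointers."""
        key = h(peer)
        self.local_in.setdefault(key, []).extend(r for r in rules if r.dst == peer)
        self.local_out.setdefault(key, []).extend(r for r in rules if r.src == peer)

    def eject(self, peer: str) -> None:
        """FIG 9, 95-97: eject the peer's rules and pointers, keeping rules of
        any other peer that happens to share the hash bucket."""
        key = h(peer)
        for table, side in ((self.local_in, "dst"), (self.local_out, "src")):
            table[key] = [r for r in table.get(key, []) if getattr(r, side) != peer]
            if not table[key]:
                del table[key]

    def check_local(self, pkt: Packet) -> Optional[str]:
        """FIG 8d: hash the destination to reach local-in rules and the source
        to reach local-out rules. A DROP from either drops the packet; else any
        PASS passes it; no corresponding rule at all returns None (assumption)."""
        hits = [first_match(self.local_in.get(h(pkt.dst), []), pkt),
                first_match(self.local_out.get(h(pkt.src), []), pkt)]
        if any(r is not None and r.action == DROP for r in hits):
            return DROP
        return PASS if any(r is not None for r in hits) else None

    def filter(self, pkt: Packet) -> str:
        """FIG 7b: pre-rule base, then local, then post, then the default rule."""
        rule = first_match(self.pre, pkt)
        if rule is not None:
            return rule.action
        action = self.check_local(pkt)
        if action is not None:
            return action
        rule = first_match(self.post, pkt)
        return rule.action if rule is not None else self.default

# Constructed addresses for the hosts in the description (the patent uses
# letters only): A behind the firewall, B, C and D outside it.
A, B, C, D = "10.0.0.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"
HOST_A_RULES = [  # the six host-A local-in and local-out rules listed above
    Rule(B, 31, A, 33, 4, DROP), Rule(C, 64, A, 45, 4, PASS), Rule(D, 11, A, 17, 4, PASS),
    Rule(A, 44, B, 70, 4, PASS), Rule(A, 13, C, 64, 4, DROP), Rule(A, 12, D, 17, 4, DROP),
]
# The telnet example: a global rule dropping port 23 to any host behind the firewall.
NO_TELNET = Rule("*.*.*.*", "*", "10.*.*.*", 23, "*", DROP)

def demo() -> dict:
    """Same local rules; the telnet rule placed in the pre- vs. post-rule base."""
    pre, post = PeerFilter([NO_TELNET], []), PeerFilter([], [NO_TELNET])
    for f in (pre, post):
        f.authenticate(A, HOST_A_RULES + [Rule(C, "*", A, 23, 4, PASS)])
    telnet = Packet(C, 4000, A, 23, 4)
    out = {"pre": pre.filter(telnet), "post": post.filter(telnet),
           "drop_in": pre.filter(Packet(B, 31, A, 33, 4)),
           "pass_out": pre.filter(Packet(A, 44, B, 70, 4)),
           "default": pre.filter(Packet(B, 5, A, 80, 4))}
    pre.eject(A)
    out["after_eject"] = pre.filter(Packet(C, 64, A, 45, 4))
    return out
```

The "pre" and "post" entries of demo() reproduce the ordering point made above: the same telnet rule blocks the peer's request from the pre-rule base but is never reached from the post-rule base once the local rule base passes it.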

The present invention provides new security functionality on a per-user basis to filters and firewalls, while maintaining the functionality of known filters. The present invention allows for the dynamic adjustment of local rule bases that can be dynamically tailored to meet the changing needs of the individual user.

Where technical features mentioned in any claim are followed by reference signs, those reference signs have been included for the sole purpose of increasing the intelligibility of the claims and accordingly such reference signs do not have any limiting effect on the scope of each element identified by way of example by such reference signs.


Claims 

1. A filter for providing peer level access control on a network having a peer with a local rule base, wherein said filter comprises:

a. means for accessing a peer's local rule base; and

b. means for receiving a packet having a packet identifier, identifying a corresponding local rule, and carrying out the action of the corresponding local rule on the packet while said filter is filtering packets for the peer.

2. The filter of claim 1, further comprising:

c. means for ejecting said local rule base from said filter.

3. The filter of claim 1, wherein the packet identifier comprises a source and destination address, a source and destination port, and a protocol identifier.

4. The filter of claim 1, wherein said means for accessing the local rule base comprises receiving and storing the local rule base.


5. The filter of claim 1, further comprising means for authenticating the peer.

6. The filter of claim 1, further comprising a global pre-rule base having a global pre-rule, wherein upon receiving the packet, said filter first searches said global pre-rule base for a rule that corresponds to the packet and carries out the action of the corresponding global pre-rule on the packet, and wherein if no corresponding global pre-rule is identified, the filter searches the local rule base for a rule that corresponds to the packet and carries out the action of the corresponding local rule on the packet.

7. The filter of claim 1, further comprising a global post-rule base, wherein the global post-rule base is searched for a rule that corresponds to the packet, and the action of a global post-rule is carried out if it corresponds to the packet only if no corresponding rule in said global pre-rule base and no corresponding rule in said local rule base are identified.

8. The filter of claim 1, further comprising a default rule, wherein if no corresponding pre-global rule and no corresponding local rule and no corresponding post-global rule are identified, said filter carries out the action of said default rule if said default rule corresponds to the packet, and generates an error condition if said default rule does not correspond to the packet.

9. The filter of claim 1, wherein the peer has a network address, and wherein the packet identifier comprises a packet source address and a packet destination address, and wherein a local rule comprises a rule source address, a rule destination address and an action, further comprising a local-in hash table having an in-pointer derived by applying a hash function to the network address of the peer, said in-pointer pointing to a peer's local rule whose rule destination address corresponds to the network address of said peer.

10. The filter of claim 1, wherein the peer has a network address, and wherein the packet identifier comprises a packet source address and a packet destination address, and wherein a local rule comprises a rule source address, a rule destination address and an action, further comprising a local-out hash table having an out-pointer derived by applying a hash function to the network address of the peer, said out-pointer pointing to a peer's local rule whose rule source address corresponds to the network address of said peer.
11. A method for providing peer-level access control on a network, said method comprising:

a. accessing a local rule base of a peer;

b. receiving a packet having a packet identifier; and 

c. searching the local rule base, identifying a local rule that corresponds to the packet identifier, and carrying
out the action of a local rule if the local rule corresponds to the packet.

12. The method of claim 11, further comprising the step of:

d. ejecting the local rule base. 

13. The method of claim 11, wherein the packet identifier comprises a source and destination address, a source and
destination port, and a protocol identifier.

14. The method of claim 11, wherein accessing a local rule base comprises the steps of receiving and storing the local
rule base. 

15. The method of claim 11, further comprising the step of authenticating a peer before accessing the peer's local rule

16. A method for providing peer-level access control on a network with a peer, said method comprising: 

a. receiving a packet having a packet identifier;

b. searching a global pre-rule base and identifying a global pre-rule that corresponds to the packet;

c. carrying out the action of a global pre-rule if the global pre-rule corresponds to the packet;

d. accessing a local rule base of a peer;

e. if no corresponding global pre-rule is found in the global pre-rule base, searching the local rule base,
identifying a local rule that corresponds to the packet, and carrying out the action of a local rule if the local rule
corresponds to the packet.

17. The method of claim 16, further comprising the step of:

f. ejecting the local rule base from the filter.

18. The method of claim 17, further comprising the steps of:

g. if no corresponding global pre-rule is found in said global pre-rule base and no corresponding local rule is
found in said local rule base, searching a global post-rule base for a global post-rule that corresponds to the
packet; and

h. carrying out the action of a global post-rule if the global post-rule corresponds to the packet.

19. The method of claim 18, further comprising the steps of:

i. if no corresponding rule is found in the global pre-rule base and no corresponding rule is found in the local
rule base, and no corresponding rule is found in the global post-rule base, determining if the packet
corresponds to a default rule; and

j. carrying out the action of the default rule if the default rule corresponds to the packet, and generating an error
condition if the default rule does not correspond to the packet.

20. The method of claim 16, wherein the peer has a network address, and wherein the packet identifier comprises a
packet source address and a packet destination address, and wherein a local rule comprises a rule source
address, a rule destination address and an action, and wherein the local rule base having a local rule whose rule
destination address corresponds to the network address of the peer is searched for a local rule that corresponds
to the packet, and the action of a local rule is carried out if the local rule corresponds to the packet, comprising the
steps of:

a. deriving an in-pointer by applying a hash function to the network address of the peer;

b. storing the in-pointer in a peer-in hash table such that the in-pointer points to a local rule whose rule desti-
nation address corresponds to the network destination address of the peer; 

c. receiving a packet; 

d. applying the hash function to the network destination address of the packet;

e. searching the local rules to which the in-pointer corresponding to the hashed packet network destination
address points for a rule that corresponds to the packet; and

f. carrying out the action of a rule if the rule corresponds to the packet.

21. The method of claim 20, further comprising the step of:

g. deleting the peer's in-pointers in said local-in hash table. 

22. The method of claim 16, wherein the peer has a network address, and wherein the packet identifier comprises a
packet source address and a packet destination address, and wherein a local rule comprises a rule source
address, a rule destination address and an action, and wherein the local rule base having a local rule whose rule
source address corresponds to the network address of the peer is searched for a local rule that corresponds to the
packet, and the action of a local rule is carried out if the local rule corresponds to the packet, comprising the steps
of:

a. deriving an out-pointer by applying a hash function to the network address of the peer; 

b. storing the out-pointer in a peer-out hash table such that the out-pointer points to a local rule whose rule 
source address corresponds to the network source address of the peer;

c. receiving a packet;

d. applying the hash function to the network source address of the packet;

e. searching the local rules to which the out-pointer corresponding to the hashed packet network source 
address points for a rule that corresponds to the packet; and

f. carrying out the action of a rule if the rule corresponds to the packet.

23. The method of claim 22, further comprising the step of:

g. deleting the peer's out-pointers in said local-out hash table. 
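The search order the method claims prescribe (global pre-rules, then the peer's dynamically loaded local rules reached through hashed in- and out-pointers, then global post-rules, then the default rule, with an error condition if even the default rule does not correspond) is easier to follow in code. The following is an added illustration written for this page, not code from the patent or its applicant. It assumes a Python dict as the stand-in for the claimed hash tables (the dict's own hashing plays the part of the hash function applied to the peer's network address), a 5-tuple in which None is a wildcard, and constructed peer addresses, rules and packets; the rule for each packet is recorded so the precedence can be inspected.

```python
"""Peer-level packet filter that walks the rule bases in the order the claims give."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

PASS, DROP = "PASS", "DROP"

# The packet identifier: a 5-tuple of addresses, ports and protocol.
Packet = namedtuple("Packet", "src dst sport dport proto")


@dataclass(frozen=True)
class Rule:
    """A 5-tuple pattern plus an action; None is a wildcard for that field."""
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]
    proto: Optional[str]
    action: str

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst), (self.sport, p.sport),
                 (self.dport, p.dport), (self.proto, p.proto))
        return all(want is None or want == got for want, got in pairs)


class NoMatchingRule(Exception):
    """Error condition: not even the default rule corresponds to the packet."""


def first_match(rules, p):
    return next((r for r in rules if r.matches(p)), None)


class PeerFilter:
    def __init__(self, pre, post, default):
        self.global_pre, self.global_post, self.default = list(pre), list(post), default
        # Hash tables keyed by peer network address: a Python dict stands in for
        # the claims' hash function, taking the address straight to the peer's rules.
        self.local_in = {}   # peer -> local rules whose rule destination is the peer
        self.local_out = {}  # peer -> local rules whose rule source is the peer

    def load_peer(self, peer, rules):
        """Load a peer's local rule base once the peer has been authenticated."""
        self.local_in[peer] = [r for r in rules if r.dst == peer]
        self.local_out[peer] = [r for r in rules if r.src == peer]

    def eject_peer(self, peer):
        """Delete the peer's in- and out-pointers when it loses authentication."""
        self.local_in.pop(peer, None)
        self.local_out.pop(peer, None)

    def decide(self, p):
        """Return (rule base that decided, action): pre, then local, then post, then default."""
        r = first_match(self.global_pre, p)
        if r:
            return "pre", r.action
        # The packet destination selects the in-pointer, the packet source the out-pointer.
        r = first_match(self.local_in.get(p.dst, []) + self.local_out.get(p.src, []), p)
        if r:
            return "local", r.action
        r = first_match(self.global_post, p)
        if r:
            return "post", r.action
        if self.default.matches(p):
            return "default", self.default.action
        raise NoMatchingRule(p)


def demo():
    """Constructed peer, rules and packets; returns every decision for inspection."""
    peer = "10.0.0.5"
    f = PeerFilter(
        pre=[Rule(None, None, None, None, "ICMP", DROP)],   # checked before any peer rule
        post=[Rule(None, None, None, 23, "TCP", DROP)],      # only if nothing earlier matched
        default=Rule(None, None, None, None, "TCP", DROP),   # deliberately leaves UDP uncovered
    )
    f.load_peer(peer, [
        Rule(peer, None, None, 80, "TCP", PASS),    # out-rule: the peer may reach web servers
        Rule(None, peer, None, 22, "TCP", PASS),    # in-rule: SSH to the peer is allowed
        Rule(None, peer, None, None, "TCP", DROP),  # in-rule: any other TCP to the peer is dropped
    ])
    pkts = {
        "web": Packet(peer, "192.0.2.10", 40000, 80, "TCP"),
        "ssh": Packet("10.0.0.9", peer, 50000, 22, "TCP"),
        "telnet": Packet("10.0.0.9", peer, 50001, 23, "TCP"),  # local DROP decides before the post-rule
        "ping": Packet("10.0.0.9", peer, 0, 0, "ICMP"),        # pre-rule decides before the local rules
        "other_telnet": Packet("10.0.0.9", "10.0.0.7", 50002, 23, "TCP"),
    }
    out = {name: f.decide(p) for name, p in pkts.items()}
    try:
        f.decide(Packet("10.0.0.9", "10.0.0.7", 50003, 53, "UDP"))
        out["udp_error"] = False
    except NoMatchingRule:
        out["udp_error"] = True   # the error condition of claims 8 and 19
    f.eject_peer(peer)
    out["ssh_after_eject"] = f.decide(pkts["ssh"])   # local rules gone, so the default rule decides
    return out
```

The telnet packet shows why the ordering matters: the peer's own catch-all DROP decides before the global post-rule ever runs, while the ICMP packet is dropped by the pre-rule before the peer's rules are consulted at all. Ejecting the peer removes both hash-table entries, so the same SSH packet then falls through to the default rule, and a protocol the default rule does not cover raises the error condition rather than silently passing.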

24. A filter for providing peer-level access control on a network with a peer, said filter comprising: 

a. means for authenticating a peer; 

b. means for accessing rules from a peer that prescribe a PASS or DROP action to be carried out on a packet; 

c. means for receiving a packet; 

d. means for searching for and identifying rules that match the packet; and 

e. means for carrying out the PASS or DROP action of a rule that corresponds to the packet.

25. The filter of claim 23, further comprising:

f. means for ejecting the rules of a peer. 

26. The filter of claim 24, further comprising:

g. means for authenticating a peer. 
